forked from cartsnitch/cartsnitch
fix(dockerfile): add explicit numeric USER 101 for Kubernetes runAsNonRoot
nginxinc/nginx-unprivileged sets USER nginx internally, but the kubelet cannot resolve non-numeric string usernames against OCI image config at container-create time. With runAsNonRoot: true, K3s kubelet reports:

"container has runAsNonRoot and image will run as root"

Fix: explicitly add USER 101 after the COPY steps. UID 101 is the numeric UID that nginx-unprivileged's nginx user already runs as — this instruction just makes it visible in the final OCI image config layer so the kubelet can verify non-root without username resolution.

Companion infra PR cartsnitch/infra#77 adds runAsUser: 101 as immediate unblock while this Dockerfile change propagates through CI.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

@@ -15,6 +15,10 @@ FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
|
||||
COPY --from=build /app/dist /usr/share/nginx/html
|
||||
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
# Explicitly declare numeric UID 101 (nginx-unprivileged's nginx user) so
|
||||
# Kubernetes can verify runAsNonRoot without resolving string usernames.
|
||||
USER 101
|
||||
|
||||
EXPOSE 8080
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
||||
|
||||
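Review bot: the hard-coded `USER 101` is only correct as long as the base image's nginx user keeps that UID, and the `FROM nginxinc/nginx-unprivileged:stable-alpine AS prod` shown in the hunk header is a floating tag, so nothing here would catch the two drifting apart. Consider pinning the base image by digest, or adding a CI step that inspects the built image's configured user and fails the build if it is not the expected numeric, non-zero value. The new comment could also say where 101 was confirmed (for example, the base image's own user definition) so a later reader can re-check it when the base image is bumped.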